Abstract

In this paper we pose and begin to explore a deductive problem more general than that of finding a proof that a given goal formula logically follows from a given set of hypotheses. The problem is most simply stated in the propositional calculus: given a goal A and hypothesis H we wish to find a formula P, called a precondition, such that A logically follows from P ∧ H. A precondition provides any additional conditions under which A can be shown to follow from H. A slightly more complex definition of preconditions in a first-order theory is given and used throughout the paper. A formal system based on natural deduction is presented in which preconditions can be derived. A number of examples are then given which show how derived preconditions are used in a program synthesis method we are developing. These uses include theorem proving, formula simplification, simple code generation, the completion of partial specifications for a subalgorithm, and other tasks of a deductive nature.

0. Introduction

Traditionally, the subject of automatic theorem proving has dealt with the problem of finding a proof that a given goal formula A logically follows from a given hypothesis H. In this paper we pose a more general deductive problem and suggest that systems for solving this more general problem can extend the utility of deductive mechanisms, and provide a framework for overcoming some problematic features of current theorem provers. The problem is most simply stated in the propositional calculus: given a goal A and hypothesis H we wish to find a formula P, called a precondition, such that A logically follows from P ∧ H. In other words a precondition provides any additional conditions under which A can be shown to follow from H.

A formal system in which preconditions can be derived is described in section 2. Each rule in this natural deduction-like system has a reduction component which reduces a goal A0 to subgoals A1, A2, ..., An, and a composition component which composes preconditions of subgoals A1, A2, ..., An to form a precondition of A0.

After presenting basic terminology in section 1 a formal system for deriving preconditions is given in section 2. A number of examples are presented in section 3 which show how derived preconditions are used in a program synthesis method we are developing [9,10]. These uses include theorem proving, formula simplification, simple code generation, the completion of partial specifications for a subalgorithm, and other tasks of a deductive nature.

1. Terminology

The examples given below are drawn from a program synthesis system which works within a many-sorted first-order theory TT. The theory includes data types such as ℕ (natural numbers), LIST(ℕ) (linear lists of natural numbers), and BAGS(ℕ) (multisets of natural numbers). We will use the (possibly subscripted) symbols i, j, k for variables ranging over ℕ, x, y, z for variables over LIST(ℕ), and B as a variable over BAGS(ℕ). The theory also includes a number of functions and predicates defined on these types and axiomatic specifications of their interactions. The notions of term, atomic formula, literal, and (well-formed) formula have their usual definitions [5]. Let T and F be propositional constants which have the values true and false respectively in all models of TT. We make use of a distinguished subset of the theorems of TT called known theorems which are assumed to be immediately available to the deductive system. The set of known theorems may change over time but initially includes all axioms of TT. All of the known theorems required by the examples are listed in the appendix.

Let Q1x1 Q2x2 ... Qnxn G be a closed formula not necessarily in prenex form where Qi is either ∃ or ∀ for i=1,2,...,n. An x1x2...xn-precondition of Q1x1 Q2x2 ... Qnxn G is a quantifier-free formula P dependent only on variables x1, x2, ..., xn such that

    Q1x1 Q2x2 ... Qnxn [ P ⇒ G ]

is valid in TT. P is also a weakest x1x2...xn-precondition if

    Q1x1 Q2x2 ... Qnxn [ P ≡ G ]

is valid in TT.

Two well-known special cases of these concepts can be given. First, if T can be derived as an x1x2...xn-precondition of a goal Q1x1 Q2x2 ... Qnxn G then the derivation is in fact a proof of the validity of Q1x1 Q2x2 ... Qnxn G since

    Q1x1 Q2x2 ... Qnxn [ T ⇒ G ]  ≡  Q1x1 Q2x2 ... Qnxn G

Therefore any system for deriving preconditions can also be used for theorem proving. Second, Dijkstra's concept [3] of a "weakest pre-condition" WP(S,R) of a program S with respect to post-condition R may be defined as a weakest q-precondition of

    ∀q ∃k ∃p [ TERMINATE(S,q,k,p) ∧ R(p) ]

where TERMINATE(S,q,k,p) holds iff program S activated in initial state q terminates within k steps (assuming a suitable definition of a program step) in a final state p. I.e.,

    ∀q [ WP(S,R)[q]  ≡  ∃k ∃p TERMINATE(S,q,k,p) ∧ R(p) ]

Our program synthesis method is not directly related to Dijkstra's approach to algorithm design [3].

In general a given goal may have many preconditions. Characteristics of a useful precondition seem to depend on the application domain. In program synthesis we generally want preconditions which are a) easily computable, b) in as simple a form as possible, and c) as weak as possible. (Criterion (c) prevents the boolean constant F from being an acceptable precondition for all goals.) Clearly there is a tradeoff between these criteria. We are currently investigating the possibility of measuring each criterion by a separate heuristic function, then combining the results to form a net complexity measure on preconditions. For reasons to be discussed later we assume that such a complexity measure ranges over a well-founded set (such as ℕ under the usual < relation) and that we seek to minimize complexity over all preconditions. In this paper however we are mostly concerned with setting up a formal system within which preconditions can be derived, and showing how to solve some program synthesis problems using it.

2. A Formal System for Deriving Preconditions

2.1 Goal Preparation

In presenting a set of rules which allow us to derive preconditions we use the notation A / H (the goal A written over its set of hypotheses H) to denote the statement that well-formed formula A logically follows from the set of hypotheses H in TT, i.e., h1 ∧ h2 ∧ ... ∧ hk ⇒ A is valid in TT where H = {h1, h2, ..., hk}.

A goal statement A / H and the known theorems of TT are prepared as follows. First, all occurrences of equivalence (≡) and implication (⇒) signs are eliminated and negation signs are moved in as far as possible. H and the known theorems of TT are then skolemized in the usual way [5], i.e., existentially quantified variables are replaced by skolem functions of the universally quantified variables on which they depend. Quantifiers are then dropped with the understanding that all remaining variables are universally quantified. The goal A is skolemized in a dual manner with universally quantified variables replaced by skolem functions of the existential variables on which they depend. All quantifiers are then dropped with the understanding that all variables in A which remain are existentially quantified. The preparation of A is equivalent (via duality of goals and assertions) to preparing ~A as an hypothesis then taking the negation of the result as our prepared goal.

2.2 Reduction/Composition Rules

Rules which reduce a goal statement to two subgoal statements are expressed in the following form:

    <P0>  A0  θ0
          H0
    ------------------------------------
    <P1>  A1  θ1          <P2>  A2  θ2
          H1                    H2

where A0, A1, and A2 are goal formulas, H0, H1, and H2 are sets of hypotheses, θ0, θ1, and θ2 are substitutions, P0, P1, and P2 are formulas (the derived preconditions), and ⊗ is either ∨ or ∧. A rule of this form asserts that if Pi is a (weakest) precondition of Hiθi ⇒ Aiθi where i=1,2 then P0 is a (weakest) precondition of H0θ0 ⇒ A0θ0. P0 generally is P1 ⊗ P2. Substitution θ0 is formed from substitutions θ1 and θ2 in ways that depend on ⊗.

If ⊗ is ∧ then θ0 is the unifying composition of θ1 and θ2, denoted uc(θ1, θ2) [7]. If θ0 = uc(θ1, θ2) then θ0 is a most general substitution such that for any literal L

    (Lθ1)θ0 = (Lθ0)θ1 = Lθ0 = (Lθ2)θ0 = (Lθ0)θ2

uc(θ1, θ2) may be computed by finding the most general unifier of

    (t1, ..., tn, tn+1, ..., tn+m)

and

    (v1, ..., vn, vn+1, ..., vn+m)

where

    θ1 = {t1/v1, ..., tn/vn}

    θ2 = {tn+1/vn+1, ..., tn+m/vn+m}

If these expressions cannot be unified then the result is a special atom NIL. For example,

    uc({a/z}, {b/z}) = NIL

    uc({ }, {a/z}) = {a/z}

    uc({f(x)/z}, {f(a)/z}) = {f(a)/z, a/x}
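As an added example (not code from the paper), the following Python implements unifying composition exactly as described above: the tuple of terms (t1, ..., tn+m) is unified with the tuple of variables (v1, ..., vn+m) and NIL is returned on failure. The term representation (strings for variables, (name, args) tuples for constants and function applications, None for NIL) is an assumption of this example; the three uc examples from the text are reproduced in the usage section.

```python
"""Unifying composition uc(theta1, theta2) of substitutions (section 2.2).

Term representation (an assumption of this example):
  - a variable is a Python string, e.g. 'x', 'z'
  - a constant or function application is a tuple (name, args), e.g.
    ('a', ()) for the constant a, ('f', ('x',)) for f(x)
A substitution is a dict {variable: term}; NIL is None.
"""

NIL = None


def fn(name, *args):
    """Build the term name(args); with no args this is a constant."""
    return (name, tuple(args))


def apply_subst(term, theta):
    """Apply substitution theta to term (theta is kept fully applied)."""
    if isinstance(term, str):
        return theta.get(term, term)
    name, args = term
    return (name, tuple(apply_subst(a, theta) for a in args))


def occurs(var, term):
    """Occurs check: does variable var appear in term?"""
    if isinstance(term, str):
        return var == term
    return any(occurs(var, a) for a in term[1])


def mgu(pairs):
    """Most general unifier of a list of (term, term) pairs, or NIL."""
    theta = {}
    work = list(pairs)
    while work:
        s, t = work.pop()
        s, t = apply_subst(s, theta), apply_subst(t, theta)
        if s == t:
            continue
        if isinstance(s, str) or isinstance(t, str):
            var, other = (s, t) if isinstance(s, str) else (t, s)
            if occurs(var, other):
                return NIL
            # keep theta fully applied: push the new binding into old ones
            theta = {v: apply_subst(u, {var: other}) for v, u in theta.items()}
            theta[var] = other
            continue
        if s[0] != t[0] or len(s[1]) != len(t[1]):
            return NIL          # clash of function symbols or arities
        work.extend(zip(s[1], t[1]))
    return theta


def uc(theta1, theta2):
    """Unify (t1..tn, tn+1..tn+m) with (v1..vn, vn+1..vn+m); NIL propagates."""
    if theta1 is NIL or theta2 is NIL:
        return NIL
    pairs = [(t, v) for v, t in theta1.items()] + [(t, v) for v, t in theta2.items()]
    return mgu(pairs)


if __name__ == "__main__":
    a, b = fn('a'), fn('b')
    print(uc({'z': a}, {'z': b}))                      # None, i.e. NIL
    print(uc({}, {'z': a}))                            # {'z': ('a', ())}
    print(uc({'z': fn('f', 'x')}, {'z': fn('f', a)}))  # {'z': f(a), 'x': a}
```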

If ⊗ is ∨ then θ0 is formed by the disjunctive composition of P1, θ1, P2 and θ2, which is denoted dc(P1, θ1, P2, θ2). The disjunctive composition may be computed as follows assuming that the derived preconditions P1 and P2 contain no variables. Let {S1, S2, ..., Sm} be the set of skolem function names in P1 which come from the top level goal in the current deduction. For example if the top level goal is Q(u, f1(u)) ⇒ R(x, f2(x), f3) and P1 is W(f1(f3), g2(f3)) then {f1, f3} is the set of skolem function names in P1 which comes from the top level goal. Let P1(y1, ..., ym) be the formula resulting from the replacement of each occurrence of skolem function Sj by variable yj in P1. In the above example P1(y1, y2) denotes W(y1, g2(y2)). Function dc is defined as follows.

    dc(P1, θ1, P2, θ2) = if θ1 = NIL and θ2 = NIL then NIL
                         else if P1 = T or θ2 = NIL then θ1
                         else if P2 = T or θ1 = NIL then θ2
                         else if θ1 = { } then θ2
                         else { hx(S1, S2, ..., Sm)/x | t/x ∈ θ1 or t/x ∈ θ2 }

where

    hx(y1, ..., ym) = if P1(y1, ..., ym) then xθ1 else xθ2.

Loosely speaking, the disjunctive composition of P1, θ1, P2, and θ2 behaves like θ1 when P1 holds and behaves like θ2 otherwise. Some examples:

    dc(a0>3, {f(a1)/x}, T, {s0/x}) = {s0/x}

    dc(f1>f2(f1), {f1/z, f2(f3)/x}, f1<f2(f3), {f2(f3)/z, f3/x})
        = {hz(f1,f2,f3)/z, hx(f1,f2,f3)/x}

where

    hz(y1, y2, y3) = if y1>y2 then y1 else y2

    hx(y1, y2, y3) = if y1>y2 then y2 else y3

A complete deduction involving a disjunctive composition is given in section 2.5.

Rules which reduce a goal statement to one subgoal are notated

    <P0>  A0  θ0
          H0
    --------------
    <P1>  A1  θ1
          H1

Occasionally, as in the application of known theorems which are implications, the relation between goal and subgoals is not one of equivalence but implication. Rules of this kind are notated

    <P0>  A0  θ0
          H0
         ⇑
    <P1>  A1  θ1
          H1

which asserts that if P1 is a precondition of H1θ1 ⇒ A1θ1 then P0 is a precondition of H0θ0 ⇒ A0θ0. For rules of this kind we cannot assert that P0 is a weakest precondition of H0θ0 ⇒ A0θ0 even if P1 is known to be a weakest precondition of H1θ1 ⇒ A1θ1.

The following rules are for the most part extensions of typical goal reduction rules [2,5,8].

R1. Reduction of Conjunctive Goals

    <P1 ∧ P2>  A ∧ B  uc(θ1, θ2)
               H
    ------------------------------------
    <P1>  A  θ1          <P2>  B  θ2
          H                    H

R2. Reduction of Disjunctive Goals

    <P1 ∨ P2>  A ∨ B  dc(P1, θ1, P2, θ2)
               H
    ------------------------------------
    <P1>  A  θ1          <P2>  B  θ2
          H                    H

R3. Reduction of Conjunctive Hypotheses

    <P>  A  θ
         {B ∧ C} ∪ H
    --------------------
    <P>  A  θ
         {B, C} ∪ H

    <P1 ∨ P2>  A  dc(P1, θ1, P2, θ2)
               {B ∧ C} ∪ H
    ------------------------------------
    <P1>  A  θ1          <P2>  A  θ2
          {B} ∪ H              {C} ∪ H

R4. Reduction of Disjunctive Hypotheses

    <P1 ∧ P2>  A  uc(θ1, θ2)
               {B ∨ C} ∪ H
    ------------------------------------
    <P1>  A  θ1          <P2>  A  θ2
          {B} ∪ H              {C} ∪ H

R5. Application of an Equivalence Formula

    <P>  A  θθ1
         H
    --------------      if C ≡ B is a known theorem of TT
    <P>  Cθ  θ1         or an hypothesis in H and θ unifies {A, B}
         H

R6. Application of an Implicational Formula

    <P>  A  θθ1
         H
        ⇑               if C ⇒ B is a known theorem of TT or hypothesis in H,
    <P>  D  θ1          and D is Cθ where θ unifies {A, B}
         Hθ             or D is ~Bθ where θ unifies {A, ~C} or {~A, C}

R7. Forward Inference from an Hypothesis

    <P>  A  θ
         {B} ∪ H
    --------------------    if D ⇒ E or D ≡ E is a known theorem of TT
    <P>  A  θ               or hypothesis in H and θ1 unifies {B, D}
         {B, Eθ1} ∪ H

R8. Goal/Hypothesis Duality Rules

R8a
    <P>  ~B ∨ A  θ
         H
    --------------
    <P>  A  θ
         {B} ∪ H

R8b
    <P>  A  θ
         {B} ∪ H
    --------------
    <P>  ~B ∨ A  θ
         H

R9. Substitution of Equal Terms

    <P>  A(r)  θ
         H
    --------------      if r = s is an hypothesis in H
    <P>  A(s)  θ        or a known theorem of TT
         H

R10. Conditional Equality Substitution

    <P1 ∧ P2>  A(r)  uc(θ1, θ2)
               H
    ------------------------------------------    if B ⇒ s1 = s2 is an hypothesis
    <P1>  A(s2)θ0  θ1       <P2>  Bθ0  θ2          or a known theorem and θ0 unifies {r, s1}
          Hθ0                     Hθ0


2.3 Primitive Goals

There are several types of primitive goal statements in our system. Each is described by a notation of the form

    <P>  A  θ
         H

which asserts that P is a precondition of Hθ ⇒ Aθ if the associated condition holds.

P1.  <T>  A  θ       if θ unifies {A, B} where B is a known theorem of TT or B ∈ H
          H

P2.  <F>  A  NIL     if θ unifies {A, ~B} or {~A, B}, where B is a known theorem of TT
          H

In addition to P1 and P2 any goal with a null hypothesis may be taken as primitive:

P3.  <A'>  A  { }    if A has the form ∨_{i=1}^{k} Ai and A' has the form ∨_{j=1}^{m} A_{ij} where
           { }       {A_{ij}}_{j=1,...,m} ⊆ {Ai}_{i=1,...,k} and for each j, 1 ≤ j ≤ m, A_{ij} depends
                     on the variables x1, x2, ..., xn only when we seek an x1x2...xn-precondition.

Primitive goals of type P1 and P2 yield weakest preconditions but in general primitive goals of type P3 do not. Note that any goal statement can be converted to an equivalent goal with a null hypothesis by repeated applications of rule R8b.


2.4 The Deduction Process

The derivation of a precondition of goal statement A / H can be described by a two stage process. In the first phase rules are repeatedly applied to goals reducing them to subgoals and generating a goal tree. Rules are not applied to a goal satisfying the primitive goal tests P1 and P2 or if the goal has been specially converted to satisfy P3. If for some reason, such as limits on computational resource, it is desired to terminate the reduction process before all subgoals have been reduced to primitive goals of type P1 or P2, then any subgoals waiting for rule application can be converted to a primitive goal of type P3. The result of this reduction process is a goal tree with primitive goals as leaf nodes.

The second phase involves the bottom-up composition of preconditions and substitutions. Initially each primitive goal yields a precondition and a substitution. Subsequently whenever a precondition or substitution has been found for each subgoal of a goal g then a precondition and substitution is composed for g according to the reduction/composition rule employed. Each newly composed precondition is then run through a simplification process to be described later.

Usually several rules can be applied to a given goal and each rule will generate a precondition. In a computer implementation of this system we would make use of a complexity measuring function and select that precondition of least complexity among the alternatives.

2.5 An Example

As an example of the use of this system suppose that we wish to show that

    ∀i0 ∀i1 ∃i2 [ (i0<i1 ∧ i2=0) ∨ (i0≥i1 ∧ i2=1) ]    (1)

is valid in TT where i0, i1, i2 are variables over ℕ (natural numbers). We do so by trying to derive T as an i0i1i2-precondition of (1). The goal after preparation is:

    (r0<r1 ∧ i2=0) ∨ (r0≥r1 ∧ i2=1)

where r0 and r1 are skolem constants of type ℕ. The derivation is depicted below in figure 1. Initially (1) is reduced via rule R2 to two subgoals, then each of these subgoals is reduced via rule R1 to two other subgoals. Subgoals i2=0 and i2=1 match axiom i=i (theorem n0 in the Appendix) with substitutions {0/i2} and {1/i2} respectively and thus are primitive goals of type P1. Suppose that goals r0<r1 and r0≥r1 are taken as primitive goals of type P3. The composition phase now begins. Subgoals r0<r1 ∧ i2=0 and r0≥r1 ∧ i2=1 yield preconditions (T ∧ r0<r1) and (T ∧ r0≥r1) respectively. A simplification process reduces these preconditions to r0<r1 and r0≥r1 respectively. The composed substitutions for the immediate subgoals of (1) are just the unifying compositions uc({0/i2}, { }) = {0/i2} and uc({1/i2}, { }) = {1/i2} respectively. The derived precondition of goal (1) is (r0<r1 ∨ r0≥r1) which simplifies (via theorem n4) to T. The composed substitution is the disjunctive composition {f_i2(r0,r1)/i2} where

    f_i2(j1, j2) = if j1<j2 then 0 else 1.

The derivation shows that T is a precondition of

    (r0<r1 ∧ f_i2(r0,r1)=0) ∨ (r0≥r1 ∧ f_i2(r0,r1)=1)

i.e., that our original goal is valid. Furthermore we have obtained a substitution term for the one existentially quantified variable in (1). After requantifying we obtain the valid formula:

    ∀i0 ∀i1 [ (i0<i1 ∧ f_i2(i0,i1)=0) ∨ (i0≥i1 ∧ f_i2(i0,i1)=1) ].

In this example and all that follow we annotate the arcs with the name of the rule and theorem used and note the primitive goal type of each leaf node. Also in this example we write the simplified form of the composed precondition P immediately under P. Hereafter in examples we will simply omit the composed precondition in favor of its simplified form. Also we omit substitutions when they are inessential to an understanding of a derivation.
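As an added example (not the paper's code), the following Python implements the disjunctive composition dc of section 2.2 and runs it on the composition step of this section, dc(r0<r1, {0/i2}, r0≥r1, {1/i2}), producing {h_i2(r0,r1)/i2} with h_i2(y1,y2) = if y1<y2 then 0 else 1. The tuple representation of terms and formulas, the restriction to skolem constants (0-ary skolem functions), and the small evaluator used to check the result are assumptions of this example.

```python
"""Disjunctive composition dc(P1, th1, P2, th2) of section 2.2, worked on the
section 2.5 example.  Representation (assumptions of this example):
  - a substitution is a dict {variable: term}; NIL is None; T is the string 'T'
  - a term is an int (numeral), a string (variable or skolem constant) or a
    tuple (name, arg1, ...); formulas use the same shape with a relation name
    first, e.g. ('<', 'r0', 'r1') for r0<r1
Only skolem constants (0-ary skolem functions) are handled.
"""

NIL = None
T = 'T'


def rename(expr, table):
    """Replace each skolem constant S_j in expr by its variable y_j."""
    if isinstance(expr, str):
        return table.get(expr, expr)
    if isinstance(expr, tuple):
        return (expr[0],) + tuple(rename(e, table) for e in expr[1:])
    return expr


def dc(p1, th1, p2, th2, skolems):
    """Return (theta0, defs).  theta0 is the composed substitution; defs maps
    each new function name h_x to (y-variables, body) with
    body = if P1(y1..ym) then x th1 else x th2, as in the paper's definition."""
    if th1 is NIL and th2 is NIL:
        return NIL, {}
    if p1 == T or th2 is NIL:
        return th1, {}
    if p2 == T or th1 is NIL:
        return th2, {}
    if th1 == {}:
        return th2, {}
    table = {s: 'y%d' % (j + 1) for j, s in enumerate(skolems)}   # S_j -> y_j
    ys = tuple(table[s] for s in skolems)
    theta0, defs = {}, {}
    for x in sorted(set(th1) | set(th2)):
        name = 'h_' + x
        theta0[x] = (name,) + tuple(skolems)          # h_x(S1,...,Sm)/x
        body = ('if', rename(p1, table),
                rename(th1.get(x, x), table),         # x th1 (x itself if unbound)
                rename(th2.get(x, x), table))         # x th2
        defs[name] = (ys, body)
    return theta0, defs


RELATIONS = {'<': lambda a, b: a < b, '>': lambda a, b: a > b,
             '>=': lambda a, b: a >= b, '=': lambda a, b: a == b}


def evaluate(term, defs, env):
    """Evaluate a term or formula under env (name -> value) to check a result."""
    if term == T:
        return True
    if isinstance(term, int):
        return term
    if isinstance(term, str):
        return env[term]
    head, *args = term
    if head == 'if':
        cond, then_t, else_t = args
        return evaluate(then_t if evaluate(cond, defs, env) else else_t, defs, env)
    if head in RELATIONS:
        return RELATIONS[head](evaluate(args[0], defs, env), evaluate(args[1], defs, env))
    if head in defs:                  # call h_x: bind its y's to the actual arguments
        ys, body = defs[head]
        return evaluate(body, defs, dict(zip(ys, (evaluate(a, defs, env) for a in args))))
    raise ValueError('unknown term %r' % (term,))


def section_2_5_example():
    """dc(r0<r1, {0/i2}, r0>=r1, {1/i2}) with skolem constants r0, r1."""
    return dc(('<', 'r0', 'r1'), {'i2': 0}, ('>=', 'r0', 'r1'), {'i2': 1}, ['r0', 'r1'])


if __name__ == "__main__":
    theta0, defs = section_2_5_example()
    print(theta0)                 # {'i2': ('h_i2', 'r0', 'r1')}
    print(defs['h_i2'])           # (('y1', 'y2'), ('if', ('<', 'y1', 'y2'), 0, 1))
    print(evaluate(theta0['i2'], defs, {'r0': 2, 'r1': 5}))   # 0
    print(evaluate(theta0['i2'], defs, {'r0': 5, 'r1': 2}))   # 1
```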

Figure 1.

    <r0<r1 ∨ r0≥r1>  (r0<r1 ∧ i2=0) ∨ (r0≥r1 ∧ i2=1)   {f_i2(r0,r1)/i2}
    <T>
      | R2
      +-- <r0<r1 ∧ T>  r0<r1 ∧ i2=0   {0/i2}
      |   <r0<r1>
      |     | R1
      |     +-- <r0<r1>  r0<r1   { }        P3
      |     +-- <T>  i2=0   {0/i2}          P1+n0
      +-- <r0≥r1 ∧ T>  r0≥r1 ∧ i2=1   {1/i2}
          <r0≥r1>
            | R1
            +-- <r0≥r1>  r0≥r1   { }        P3
            +-- <T>  i2=1   {1/i2}          P1+n0

2.6 Formula Simplification

Any deductive mechanism needs a means to simplify formulas which are generated during the deductive process. Simplification can be usefully viewed as the task of finding a weakest precondition (in all variables) of formula A. The search for a simple weakest precondition is kept short by using only a few of the known theorems of TT. The strategy followed in the examples is to repeat the following sequence of rule applications until the goal has been reduced to literals:

a) simplify the goal as much as possible using known equivalence theorems of TT,

b) multiply subexpressions out using p9 and p10 (DeMorgan's Laws),

c) break the result of (b) down to subexpressions using R1 or R2.

The multiplication step allows us to mix preconditions which were returned from different branches of the goal tree.

A precondition generating mechanism used for simplification purposes must be carefully controlled in order to avoid infinite regress. One way around this problem is to prohibit simplification of preconditions generated during the simplification process. Instead we check whether the final derived precondition P is simpler than the initial goal formula A. If not then A is returned, otherwise we attempt to simplify P. If our complexity measuring function ranges over a well-founded set then this simplification process will terminate.

Suppose that we need to simplify the expression

    (i>j ∨ i=0) ∧ (i<j ∨ j=0)    (2)

where i and j vary over ℕ. The derivation in figure 2a yields

    (i>0 ∧ j=0) ∨ i=0

as a weakest precondition (i.e. equivalent form) of (2). The derivation in figure 2b yields

    (i=0 ∨ j=0)    (3)

as a weakest precondition. The result is that (2) has been simplified to (3).

Figure 2a. First pass at simplifying goal formula (2).

    <(i>0 ∧ j=0) ∨ i=0>  (i>j ∨ i=0) ∧ (i<j ∨ j=0)
      | R5+p9, R2
      +-- <i>0 ∧ j=0>  i>j ∧ (i<j ∨ j=0)
      |     | R5+p9, R2
      |     +-- <F>  i>j ∧ i<j                     P2+n5
      |     +-- <i>0 ∧ j=0>  i>j ∧ j=0
      |           | R5+e1, R1
      |           <i>0 ∧ j=0>  i>0 ∧ j=0
      |             +-- <i>0>  i>0                 P3
      |             +-- <j=0>  j=0                 P3
      +-- <i=0>  i=0 ∧ (i<j ∨ j=0)
            | R5+e1, R1
            <i=0>  i=0 ∧ (0<j ∨ j=0)
              +-- <i=0>  i=0                       P3
              +-- <T>  0<j ∨ j=0                   P1+n2

Figure 2b. Second pass: simplifying the result of figure 2a.

    <i=0 ∨ j=0>  i=0 ∨ (i>0 ∧ j=0)
      | R5+p10, R1
      +-- <T>  i=0 ∨ i>0                           P1+n2
      +-- <i=0 ∨ j=0>  i=0 ∨ j=0
            +-- <i=0>  i=0                         P3
            +-- <j=0>  j=0                         P3

3. The Use of Derived Preconditions in Program Synthesis

In this section we show how derived preconditions can play a central role in the design of algorithms [9,10]. Many of the key steps in the design process involve finding a precondition of a formula constructed by instantiation of a formula schema with functions, predicates and types from the specification and the partially designed algorithm. The resulting derived precondition is used to either strengthen or complete some aspect of the target algorithm.

Initially a user supplies a complete formal specification of a problem which he desires to solve. The specification consists of a naming of the input and output data types, and two formulas called the input and output conditions. The types, functions and predicates involved in the specification must be part of the language of TT. For example, the problem of sorting a list of natural numbers may be specified as follows:

    QSORT(x) = z such that ORD(z) ∧ BAG(x)=BAG(z)
    where QSORT: LIST(ℕ) → LIST(ℕ).

Here the input and output types are LIST(ℕ) (lists of natural numbers). There is no input condition (except the implicit condition of the input type) and the output condition is ORD(z) ∧ BAG(x)=BAG(z) where ORD(z) holds iff the list z is in nondecreasing order, and BAG(x)=BAG(z) holds iff the multiset (bag) of elements in x and z is the same.

We will construct a divide and conquer algorithm (quicksort) of the form:

    QSORT(x) = if
        PRIM(x)  → QSORT := f(x)  □
        ~PRIM(x) → (x1,x2) := DECOMPOSE(x);
                   (z1,z2) := (QSORT(x1), QSORT(x2));
                   QSORT := COMPOSE(z1,z2)
      fi

where PRIM is a predicate which determines when to terminate recursion, f is a function which provides a solution for primitive inputs, DECOMPOSE and COMPOSE are decomposition and composition functions respectively. In this program schema PRIM, f, DECOMPOSE, and COMPOSE are uninterpreted functions whose value we have to determine. The if-fi construct is Dijkstra's nondeterministic conditional statement [3]. Associated with the algorithm schema is a correctness schema which will be introduced later.

The first step in the synthesis process involves the representation of the user's problem by a problem reduction model [10]. This format extends the specification of a problem and restricts the type of algorithms which can be used to solve the problem to one of a small number of algorithms which work by problem reduction. For present purposes the relevant parts of the representation for QSORT are:

a) a relation IDR, called the input decomposition relation, which constrains the way in which input x0 can be decomposed into objects x1 and x2 and serves as a partial output condition on subalgorithm DECOMPOSE in the divide and conquer schema:

    IDR(x0,x1,x2) ≡ BAG(x0)=BAG(x1)∪BAG(x2)

where B1∪B2 denotes the bag-union of bags B1 and B2.

b) a relation OCR, called the output composition relation, which constrains the way in which output object z0 can be formed from objects z1 and z2 and serves as a partial output condition on the subalgorithm COMPOSE:

    OCR(z0,z1,z2) ≡ BAG(z0)=BAG(z1)∪BAG(z2)

c) a well-founded ordering relation ≻ on LIST(ℕ) is used to ensure that the target program terminates on all inputs:

    x0 ≻ x1 ≡ LG(x0)>LG(x1)

where the function LG(x) returns the length of the list x.

3.1 Checking and Enforcing Compatibility in the Representation

The representation of the user's problem by a problem reduction model is constructed by heuristic means. A formula expressing the mutual compatibility of various parts of the model is constructed and an attempt is made to verify it. If the derived precondition P is T then the parts are compatible, otherwise we use P to modify the model to ensure compatibility. For example we want the input decomposition relation IDR to be compatible with the well-founded ordering ≻, in the sense that

    ∀x0 ∀x1 ∀x2 [ IDR(x0,x1,x2) ⇒ x0≻x1 ∧ x0≻x2 ]

i.e., if x0 can decompose into lists x1 and x2 then x1 and x2 must both be smaller than x0 under the ≻ relation. After substituting in the form of IDR and the well-founded ordering for the QSORT example, and preparing the formula we obtain the goal:

    BAG(a0)=BAG(a1)∪BAG(a2)  ⇒  LG(a0)>LG(a1) ∧ LG(a0)>LG(a2)    (4)

where a0, a1, and a2 are skolem constants for the (universally quantified) variables x0, x1, x2. The derivation of an x0x1x2-precondition of (4) is given in figure 3. The resulting precondition is

    BAG(x0)=BAG(x1)∪BAG(x2)  ⇒  LG(x1)>0 ∧ LG(x2)>0

which means that IDR is not strong enough to imply the consequent of the original goal. From the definition of preconditions it follows that the conjunction of IDR and the derived precondition will in fact imply the consequent of (4).
Figure 3. Checking Compatibility of IDR and ≻

    <Q>  BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x0)>LG(x1) ∧ LG(x0)>LG(x2)
      | R8a
    <Q>  LG(x0)>LG(x1) ∧ LG(x0)>LG(x2)
         {BAG(x0)=BAG(x1)∪BAG(x2)}
      |
      +-- <Q1>  LG(x0)>LG(x1)
      |         {BAG(x0)=BAG(x1)∪BAG(x2)}
      |     | R7+lb2
      |     <Q1>  LG(x0)>LG(x1)   H
      |     | R9
      |     <Q1>  LG(x1)+LG(x2)>LG(x1)   H
      |     | R5+n6
      |     <Q1>  LG(x2)>0   H
      |     | R8b
      |     <Q1>  Q1   { }                 P3
      +-- <Q2>  LG(x0)>LG(x2)
                {BAG(x0)=BAG(x1)∪BAG(x2)}
            | R7+lb2
            <Q2>  LG(x0)>LG(x2)   H
            | R9
            <Q2>  LG(x1)+LG(x2)>LG(x2)   H
            | R5+n6
            <Q2>  LG(x1)>0   H
            | R8b
            <Q2>  Q2   { }                 P3

where

    Q1 is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x2)>0
    Q2 is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x1)>0
    Q  is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ (LG(x2)>0 ∧ LG(x1)>0)
    H = {BAG(x0)=BAG(x1)∪BAG(x2), LG(x0)=LG(x1)+LG(x2)}

Thus we can form a new strengthened input decomposition relation IDR' where

    IDR'(x0,x1,x2) ≡ IDR(x0,x1,x2) ∧ [ BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x1)>0 ∧ LG(x2)>0 ]

The derivation in figure 3 guarantees that IDR' is compatible with the well-founded ordering. After simplifying IDR' we have

    IDR'(x0,x1,x2) ≡ BAG(x0)=BAG(x1)∪BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0.

3-2  Reducing  a  Quantified  Predicate  to  a  Target  Language  Expression 

The  predicate  PRIM(x)  in  the  divide  and  conquer  schema  is  intended  to  dis- 
tinguish nondecomposable  from  decomposable  inputs.  In  the  QSORT  example  it  is 
sufficient  for  -PRIM(xq)  to  be  a  XQ-precondition  of 

Vxq3x1  3x2  IDR'(xq,x1  ,x2) 
i.e.  a  list  is  decomposable  only  if  there  are  lists  into  which  it  can  decompose. 
The  deduction  in  figure  4  yields  the  precondition  LG(aQ)>1  and  after  some  simple 
manipulations  LG(x)CI  and  LG(x)>1  can  be  substituted  for  PRIM(x)  and  ~PRLM(x) 
respectively  in  QSORT.  One  additional  mechanism  is  needed  to  correctly  handle 
this  example.  The  reduction/composition  rule  R1  treats  each  subgoal  indepen- 
dently and  combines  the  returned  substitutions  into  their  unifying  composition. 
This  treatment  does  not  work  well  when  the  subgoals  have  common  variables.  Most 
theorem  proving  systems  allow  substitutions  in  one  subgoal  to  be  applied  to  the 
other  (since  different  substitutions  may  be  found  independently  for  the  same 
variable)  and  we  follow  this  practice  here. 

3-3  Simple  Code  Generation  through  Substitution  of  a  Term  for  an  Output  Vari- 
able. 

With  the  PRIM  predicate  in  hand  the  synthesis  process  can  proceed  to  the 
task  of  finding  a  target  language  expression  to  handle  primitive  inputs  in  the 
quicksort  algorithm.  A  correctness  formula  for  the  primitive  branch  of  the 
quicksort  algorithm  is: 

∀x∃z[LG(x)≤1 ⇒ ORD(z) ∧ PERM(x,z)].

The deduction in figure 5 shows that T is an xz-precondition of this formula, thus proving its validity in TT. The substitution gives us a value for z for any x, namely x itself. Thus the primitive branch of our quicksort is completed, since x is the desired output value. The target algorithm now has the form

QSORT(x) = if
  LG(x)≤1 → QSORT := x □
  LG(x)>1 → ...
fi

<LG(a0)>1>  BAG(a0)=BAG(x1)∪BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0
    side goals:  <T>  LG(w1)>0  θ1                  <T>  LG(w2)>0  θ2
                   R5+lb10                             R5+lb10
                 <T>  x1=cons(j1,w1)  θ1             <T>  x2=cons(j2,w2)  θ2
                   P1+lb1                              P1+lb1
<LG(a0)>1>  BAG(a0)=BAG(cons(j1,w1))∪BAG(cons(j2,w2))
  R9+lb9
    side goals:  <T>  cons(j1,w1)=cons(i1,y1)        <T>  cons(j2,w2)=cons(i2,y2)
                   P1+lb1,n0                           P1+lb1,n0
<LG(a0)>1>  BAG(a0)={j1}∪BAG(w1)∪{j2}∪BAG(w2)
  R9+lb5,lb7,lb8
<LG(a0)>1>  BAG(a0)={j1,j2}∪BAG(append(w1,w2))
  R6+lb9
<LG(a0)>1>  a0=cons(j1, cons(j2, append(w1,w2)))
  R5+lb10
<LG(a0)>1>  LG(a0)>1
  P3

where θ1 = {cons(j1,w1)/x1} and θ2 = {cons(j2,w2)/x2}

Figure 4. Generating a target language expression for ~PRIM

<T>  LG(a)≤1 ⇒ ORD(z) ∧ BAG(a)=BAG(z)   {a/z}
  R8a
<T>  ORD(z) ∧ BAG(a)=BAG(z)   {a/z}
     {LG(a)≤1}

<T>  ORD(z)   {a/z}                  <T>  BAG(a)=BAG(z)   {a/z}
     {LG(a)≤1}                            {LG(a)≤1}
  R6+lb3                               P1
<T>  LG(z)≤1   {a/z}
     {LG(a)≤1}
  P1

Figure 5. Finding a target language term

3.4  Completion  of  the  Partial  Specification  of  a  Subalgorithm 

The  next  step  in  the  synthesis  provides  our  final  example  and  completes  the 
construction  of  the  top  level  algorithm  for  QSORT.  The  nonprimitive  branch  of 
QSORT  has  two  uninterpreted  functions  COMPOSE  and  DECOMPOSE  which  have  partial 
specifications  based  on  OCR  and  IDR  respectively.  We  look  for  a  known  target 
language  function  satisfying  either  partial  specification  and  find  that  the 
function  APPEND,  which  appends  one  list  onto  the  end  of  another,  satisfies  the 
(partial)  specification  for  COMPOSE.  The  algorithm  schema  then  becomes: 
QSORT(x) = if
  LG(x)≤1 → QSORT := x □
  LG(x)>1 → (x1,x2) := DECOMPOSE(x);
            (z1,z2) := (QSORT(x1),QSORT(x2));
            QSORT := APPEND(z1,z2)
fi

where subalgorithm DECOMPOSE remains to be synthesized and has partial specification

DECOMPOSE(x) = (x1,x2) such that [LG(x)>1 ⇒ (BAG(x)=BAG(x1)∪BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0)]

where DECOMPOSE: LIST(ℕ) → LIST(ℕ)².

The concern now is to find any additional output conditions needed by DECOMPOSE in order to make QSORT satisfy its formal specifications. A sufficient condition for the total correctness of QSORT [10] is:

∀x0∀x1∀x2∀z0∀z1∀z2 [[BAG(x0) = BAG(x1) ∪ BAG(x2) ∧
                       LG(x1)>0 ∧ LG(x2)>0 ∧
                       BAG(x1) = BAG(z1) ∧ ORD(z1) ∧
                       BAG(x2) = BAG(z2) ∧ ORD(z2) ∧
                       z0 = APPEND(z1,z2)] ⇒ (BAG(x0) = BAG(z0) ∧ ORD(z0))]        (6)

If (6) is not valid it is because the specification of DECOMPOSE is too weak. We seek therefore an x0x1x2-precondition of (6) and add it to the output specification of DECOMPOSE. Preparing (6) results in the substitution of skolem constants a0,b1,b2,c0,c1,c2 for x0,x1,x2,z0,z1,z2 respectively. Let H denote the set of conjuncts in the antecedent of the prepared correctness formula and A the consequent. An expression of the form P(ALL(B)) will be used to abbreviate ∀x∈B P(x) where B is a bag variable. The derivations given in figures 6a and 6b yield

ALL(BAG(x1)) < ALL(BAG(x2)).

<T>  BAG(a0)=BAG(c0)
     {c0=APPEND(c1,c2)} ∪ H
  R9
<T>  BAG(a0)=BAG(APPEND(c1,c2))
     H
  R9+lb5
<T>  BAG(a0)=BAG(c1)∪BAG(c2)
     {BAG(b1)=BAG(c1), BAG(b2)=BAG(c2)} ∪ H
  R9
<T>  BAG(a0)=BAG(b1)∪BAG(b2)
     {BAG(a0)=BAG(b1)∪BAG(b2)} ∪ H
  P1

Figure 6a. Nonprimitive branch of QSORT

<P>  ORD(c0)
     {c0=APPEND(c1,c2)} ∪ H
  R9
<P>  ORD(APPEND(c1,c2))
     H
  R5+lb4, R1
    side goals:  <T>  ORD(c1)             <T>  ORD(c2)
                      {ORD(c1)} ∪ H            {ORD(c2)} ∪ H
                   P1                        P1
<P>  ALL(BAG(c1))<ALL(BAG(c2))
     {BAG(c1)=BAG(b1), BAG(c2)=BAG(b2)} ∪ H
  R9
<P>  ALL(BAG(b1))<ALL(BAG(b2))
     H
  R8b
<P>  ~H ∨ P
  P3

where P is ALL(BAG(b1))<ALL(BAG(b2))

Figure 6b. Completing the specification of DECOMPOSE

Strengthening DECOMPOSE with this precondition we obtain the complete specification

DECOMPOSE(x) = (x1,x2) such that [LG(x)>1 ⇒ (BAG(x)=BAG(x1) ∪ BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0 ∧ ALL(BAG(x1))<ALL(BAG(x2)))]

where DECOMPOSE: LIST(ℕ) → LIST(ℕ)².

The  synthesis  process  is  then  recursively  invoked  to  design  an  algorithm  meeting 
these  specifications. 
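As an added example (not code from the paper), the QSORT schema of this section in Python: a DECOMPOSE meeting the completed specification, one meeting only the partial specification, and an instance check of condition (6) that shows why the derived precondition is needed; the function names, the middle split and the sample lists are my own. Read with a strict "<", the completed specification admits no split of a list whose elements are all equal, so the assumed decompose returns None in that case.

```python
from collections import Counter

# Added example (not the paper's code): the QSORT schema of section 3 with
# a DECOMPOSE meeting its completed specification, one meeting only the
# partial specification, and an instance check of condition (6).
# LG, BAG, ORD and APPEND follow the paper; the other names are my own.

def LG(w): return len(w)                                  # length of a list
def BAG(w): return Counter(w)                             # multiset of elements
def ORD(w): return all(a <= b for a, b in zip(w, w[1:]))  # non-decreasing

def ALL_LT(b1, b2):
    """ALL(b1) < ALL(b2): every element of bag b1 is below every element of b2."""
    return all(i < j for i in b1.elements() for j in b2.elements())

def decompose_partial(x):
    """Meets only the partial spec (bag equality, both parts non-empty): middle split."""
    m = LG(x) // 2
    return x[:m], x[m:]

def decompose(x):
    """Meets the completed spec: every copy of the minimum goes to x1, the rest
    to x2, so ALL(BAG(x1)) < ALL(BAG(x2)).  Read strictly, no such split
    exists when all elements are equal; None is returned in that case."""
    lo = min(x)
    x1, x2 = [i for i in x if i == lo], [i for i in x if i > lo]
    return (x1, x2) if x2 else None

def decompose_ok(x, x1, x2, strengthened=True):
    """Check a candidate (x1, x2) against the partial or the completed spec."""
    ok = BAG(x) == BAG(x1) + BAG(x2) and LG(x1) > 0 and LG(x2) > 0
    return ok and (not strengthened or ALL_LT(BAG(x1), BAG(x2)))

def condition_6(x0, x1, x2, z1, z2):
    """One instance of (6): the antecedent about the decomposition and the
    sorted parts implies BAG(x0)=BAG(z0) and ORD(z0) for z0 = APPEND(z1,z2)."""
    z0 = z1 + z2
    ante = (BAG(x0) == BAG(x1) + BAG(x2) and LG(x1) > 0 and LG(x2) > 0
            and BAG(x1) == BAG(z1) and ORD(z1) and BAG(x2) == BAG(z2) and ORD(z2))
    return (not ante) or (BAG(x0) == BAG(z0) and ORD(z0))

def qsort(x, split=decompose):
    """The schema: primitive branch for LG(x) <= 1, else DECOMPOSE, recurse, APPEND."""
    if LG(x) <= 1:
        return x
    parts = split(x)
    if parts is None:
        raise ValueError("no decomposition satisfies the completed specification")
    x1, x2 = parts
    return qsort(x1, split) + qsort(x2, split)
```

With the middle split, the antecedent of (6) holds but APPEND of the sorted parts is not ordered, which is exactly the instance the precondition ALL(BAG(x1))<ALL(BAG(x2)) rules out.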

The synthesis system from which we've drawn the examples is an attempt to obtain increased synthesis performance by 1) dividing the synthesis task into a number of relatively small deductive tasks, and 2) using large amounts of knowledge about programming. The system makes use of two types of programming knowledge: 1) control strategy knowledge encoded by program schemas (such as the schema for divide and conquer used above) and their associated correctness schemas, and 2) data structure knowledge represented in part by the known theorems of TT. Other recent deductive approaches to program synthesis [1,4,6] also make use of data structure knowledge, but have different approaches to representing control knowledge and tend to construct programs on the basis of a single large deductive task.

4.  Conclusion 

In this paper we have defined a new deductive problem, that of finding a precondition of a given formula, and presented a formal system within which preconditions can be derived. We have tried to convey a sense of the flexibility and usefulness of such a system through a number of examples drawn from the domain of program synthesis. We are currently implementing a system based on the one described here and hope to report on such issues as formula complexity measures and control, which we have largely ignored here, in a future paper.


APPENDIX 


Listed below are the known theorems used in the examples of this paper. It is important that these assertions are expressed in their strongest form (i.e., as equivalences rather than implications) whenever possible, so that it can be determined whether a weakest precondition has been derived or not. Often a theorem is used in one direction only although it may be stated as an equivalence.

Propositional theorems

p1. A ∨ ~A
p2. ~(A ∧ ~A)
p3. T ∧ A ≡ A
p4. T ∨ A ≡ T
p5. F ∧ A ≡ F
p6. F ∨ A ≡ A
p7. ~(A ∧ B) ≡ ~A ∨ ~B
p8. ~(A ∨ B) ≡ ~A ∧ ~B
p9. A ∧ (B ∨ C) ≡ (A ∧ B) ∨ (A ∧ C)
p10. A ∨ (B ∧ C) ≡ (A ∨ B) ∧ (A ∨ C)
p11. (A ⇒ B) ≡ (~A ∨ B)
p12. A ∨ (A ∧ B) ≡ A
p13. A ∧ (A ∨ B) ≡ A

Equality theorems

e1. P(x) ∧ x=y ≡ P(y) ∧ x=y   where P(x) is a formula depending on term x.

Natural number theorems

Let i,j,k denote variables of type ℕ.

n0. i=i
n1. i≥0
n2. i=0 ∨ i>0
n3. i<j ∨ i≥j
n4. i≤j ∨ i>j
n5. ~(i<j ∧ i>j)
n6. i+j>i ≡ j>0
n7. ~(i>k) ≡ i≤k
n8. ~(i<k) ≡ i≥k
n9. i>k1 ∧ j>k2 ⇒ i+j>k1+k2+1
List and Bag theorems

Let w0,w1,w2 vary over LIST(ℕ), and let B1,B2 vary over BAGS(ℕ).

lb1. w0 = w0
lb2. BAG(w0)=BAG(w1) ∪ BAG(w2) ⇒ LG(w0)=LG(w1)+LG(w2)
lb3. LG(w0)≤1 ⇒ ORD(w0)
lb4. [ORD(w1) ∧ ORD(w2) ∧ ALL(BAG(w1))<ALL(BAG(w2))] ≡ ORD(APPEND(w1,w2))
lb5. BAG(APPEND(w0,w1)) = BAG(w0) ∪ BAG(w1)
lb6. B1 = B1
lb7. {i1}∪{i2} = {i1,i2}
lb8. B1∪B2 = B2∪B1
lb9. w1=cons(i0, cons(i1,...cons(in,w2)...)) ⇒ BAG(w1) = {i0,i1,...,in} ∪ BAG(w2)
lb10. w0=cons(i0, cons(i1,...cons(in,w1)...)) ⇒ LG(w0)>n